LAS VEGAS–The pervasive bulk surveillance performed by the NSA and other government agencies that’s been revealed in recent weeks relies on court orders, as do other kinds of legal access operations, such as wiretapping or lawful intercepts. Those orders are shrouded in secrecy and the organizations that receive them often comply immediately without asking any questions, a response that can sometimes be a mistake.
The FBI uses orders known as national security letters to request information from a variety of organizations as part of investigations relating to terrorism and other national security matters. In most cases, the recipients of those letters are not allowed to disclose that they received one or seek help from other people inside their own organizations. That was the case when Brewster Kahle of the Internet Archive received a national security letter in 2008. The FBI was demanding information on searches performed on the site by a specific set of users.
Kahle, the founder of the Internet Archive, a massive online library and record of the Web, was shocked by the letter and immediately notified the lawyers at the EFF, who gave him some bad news.
“They said, ‘This is not a good day for you, Brewster’,” Kahle said during a panel discussion on legal access at the Black Hat USA 2013 conference here Wednesday. “We’re in the business of answering questions for people and I didn’t know what to do.”
What he didn’t want to do was hand over the information. So, after discussions with the EFF, Kahle and the Internet Archive decided to challenge the letter in court; they sued the federal government. Only a tiny number of recipients of national security letters are known to have challenged them, and the FBI eventually relented, saying that it didn’t need the data after all. However, that wasn’t the end of it. Kahle wanted to disclose publicly what had happened and to give other organizations that might be in his position a playbook to follow. So after months of negotiation, he eventually got approval to do that, with a few restrictions.
The lesson, Kahle said, is not only that organizations can challenge such letters, but that they should assess all of their options before complying.
“You can do it and you often have far more friends than you can imagine,” he said.
National security letters are just one of the tools that law enforcement and intelligence agencies use to request information from ISPs, phone companies and many other organizations. In some circumstances, they’re not necessary and the agency simply makes a request of a company to install a tap or collection point in their network or data center. That kind of wiretapping is often done as part of an ongoing criminal investigation, but Matt Blaze, a professor at the University of Pennsylvania, said that the installation of that kind of equipment can often lead to other problems.
“What nobody is asking is if the implementation of a wiretap creates the opportunity for other crimes by weakening our existing infrastructure,” he said. “The best example of this is CALEA. Every one of the units that was evaluated by the National Security Agency for potential use was found to have security holes.”
CALEA (Communications Assistance for Law Enforcement Agencies) was passed as a way to give law enforcement agencies the ability to conduct electronic surveillance on the Internet and other emerging platforms. Alan Davidson, a visiting scholar at MIT and former public policy lawyer for Google, said on the panel that all of the changes to laws and technology in recent years have made surveillance on a broad scale so much simpler for intelligence and law enforcement agencies.
“We live in a golden age of wiretapping right now,” he said.
But, he added, the operations conducted by the U.S. and other governments may have some serious unintended consequences in the coming months and years.
“The data shows that people care about their privacy quite a bit. Secret surveillance scales poorly, especially internationally. There’s a real risk that we’re going to see a real impact to business because of these revelations and people may insist that they keep their data in their own countries,” he said.